Home/Fortinet/FortiOS/FortiOS 7.2

FortiOS 7.2

SKU 7.2

Fortinet Os Release · FortiOS Series

Curated Fortinet release notes ↗ Curated from vendor policy · verify against the vendor before acting
FortiOS 7.2 is at risk. Vendor support is ending soon. Fortinet support ends (+73d).

Is FortiOS 7.2 still maintained?

For now. Fortinet maintenance for FortiOS 7.2 ends on 2026-09-30, with engineering fixes (incl. security) stopping 2025-03-31. Schedule the upgrade before then. See Fortinet's lifecycle bulletin.

When do security fixes for FortiOS 7.2 stop?

Engineering fixes for FortiOS 7.2 — including security patches — stop on 2025-03-31. After that date, a device on this release cannot be patched against newly disclosed vulnerabilities without upgrading, which is the point that matters for KEV exposure and compliance.

What should I upgrade FortiOS 7.2 to?

Upgrade to a currently maintained Fortinet release. Check the release-train table on the vendor page for the nearest supported version.

What known-exploited CVEs apply to the FortiOS 7.2 past end of support?

4 CVEs in CISA's Known Exploited Vulnerabilities catalog affect Fortinet FortiOS. Because FortiOS 7.2 is past end of engineering, it will not receive fixes for them — a device left on this release is exploitable with no patch available. Upgrade to a maintained release. See the Known Exploited Vulnerabilities table below for the full list.

Known Exploited Vulnerabilities

This device is past Fortinet's security-support date. 4 CVEs in CISA's Known Exploited Vulnerabilities catalog apply to the platform it runs. Fortinet is not issuing patches for this model. Isolate, compensate, or refresh.

CVE KEV added Vulnerability Flags
CVE-2024-21762 Fortinet FortiOS Out-of-Bound Write Vulnerability Ransomware
CVE-2023-27997 Fortinet FortiOS and FortiProxy SSL-VPN Heap-Based Buffer Overflow Vulnerability Ransomware
CVE-2022-41328 Fortinet FortiOS Path Traversal Vulnerability
CVE-2022-42475 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability Ransomware

Source: CISA Known Exploited Vulnerabilities catalog. The Ransomware flag reflects CISA's own knownRansomwareCampaignUse field, set when the CVE has been observed in ransomware campaigns per their threat intel. It's not a property of the vulnerability description itself.

Correlation is at the platform level, not per-OS-version. Not exhaustive: KEV only lists actively-exploited CVEs and many relevant unexploited vulnerabilities are not here. Verify against vendor security advisories (PSIRT, JSA, PAN-SA) and NVD before acting. See compensating controls if refresh isn't immediate.

FortiOS 7.2 Release Lifecycle

FortiOS 7.2 is a Fortinet FortiOS software release. Releases are maintained on a fixed schedule: Fortinet ships fixes and security patches until the release reaches end of engineering, after which a device must be upgraded to a maintained release to stay patchable. The dates below are milestones for the software train, not for any specific appliance — hardware running this release has its own separate lifecycle. Fortinet support for this product is ending soon. The last date of support is . After that date, no further software updates, security patches, or hardware replacements will be provided.

Lifecycle Milestones

Lifecycle notice published 4y 4mo ago
End of software maintenance 1y 4mo ago
End of security vulnerability support 1y 4mo ago
Last date of support in 2mo
Applicable Platforms
↑ Top